Failed to renew certificate

I’m trying to renew my certificate using the command /etc/certbot-auto renew
Unfortunately, the renewal failed with an error at "Waiting for verification…":
Challenge failed for domain jeedom-roudaer2.spdns.eu
http-01 challenge for jeedom-roudaer2.spdns.eu

Web server is Apache 2
Any idea of the root cause of this issue?
Many thanks in advance for support


Processing /etc/letsencrypt/renewal/jeedom-roudaer2.spdns.eu.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jeedom-roudaer2.spdns.eu
Enabled Apache rewrite module
Waiting for verification…
Challenge failed for domain jeedom-roudaer2.spdns.eu
http-01 challenge for jeedom-roudaer2.spdns.eu
Cleaning up challenges
Attempting to renew cert (jeedom-roudaer2.spdns.eu) from /etc/letsencrypt/renewal/jeedom-roudaer2.spdns.eu.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jeedom-roudaer2.spdns.eu/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jeedom-roudaer2.spdns.eu/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: jeedom-roudaer2.spdns.eu
    Type: connection
    Detail: Fetching
    http://jeedom-roudaer2.spdns.eu/.well-known/acme-challenge/AEZC2mGGO77qkOzHwgs0f90j7jVga-53kbVb5bleNP8:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify

Hi @roudaer2

if you want to use http-01 challenge, an open port 80 is required.

But your port 80 / http doesn't answer ( jeedom-roudaer2.spdns.eu - Make your website better - DNS, redirects, mixed content, certificates ):

Domainname | IP | Http-Status | redirect | Sec. | G
http://jeedom-roudaer2.spdns.eu/ | 77.204.127.136 | -14 (Timeout - The operation has timed out) | | 10.030 | T
https://jeedom-roudaer2.spdns.eu/ | 77.204.127.136 | 302 | https://jeedom-roudaer2.spdns.eu/index.php?v=d | 3.560 | B
https://jeedom-roudaer2.spdns.eu/index.php?v=d | | 200 | | 3.400 | B
http://jeedom-roudaer2.spdns.eu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 77.204.127.136 | -14 (Timeout - The operation has timed out) | | 10.014 | T

Visible Content: (empty)

Only timeouts.

So:

Fatal: Check of /.well-known/acme-challenge/random-filename has a timeout. Creating a Letsencrypt certificate via http-01 challenge can't work. You need a running webserver (http) and an open port 80. If it's a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it's a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge.

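A small pre-flight check that reproduces the diagnosis above, added here as an example (it is not certbot's code and not the check-your-website tool): it tests whether port 80 accepts a connection, fetches a constructed token under /.well-known/acme-challenge/ without following redirects, and applies the rule that a redirect is only usable when it lands on port 80 or 443. The token name and the result strings are my own.

```python
import socket
import urllib.error
import urllib.parse
import urllib.request

# http-01 validators follow redirects only to port 80 or 443 (rule stated in the reply above)
ALLOWED_REDIRECT_PORTS = {80, 443}


def redirect_port_allowed(location: str) -> bool:
    """True if a redirect target lands on port 80/443 (explicit or scheme default)."""
    url = urllib.parse.urlsplit(location)
    if url.scheme not in ("http", "https"):
        return False
    port = url.port or (443 if url.scheme == "https" else 80)
    return port in ALLOWED_REDIRECT_PORTS


def classify(connected: bool, status, location) -> str:
    """Turn one observation into a diagnosis; status is None when nothing answered."""
    if not connected:
        return "port 80 unreachable: check port forwarding or an ISP block, or use dns-01"
    if status in (301, 302, 307, 308):
        if location and redirect_port_allowed(location):
            return "redirect to port 80/443: acceptable for http-01"
        return "redirect to a non-standard port: the validator will not follow it"
    if status == 404:
        return "port 80 answers: 404 for an unknown token is the expected baseline"
    return f"port 80 answers with HTTP {status}: check what serves /.well-known/acme-challenge/"


def probe(domain: str, timeout: float = 10.0) -> str:
    """Live check: TCP connect to port 80, then GET a made-up token without following redirects."""
    try:
        with socket.create_connection((domain, 80), timeout=timeout):
            pass
    except OSError:  # includes timeout and DNS failure
        return classify(False, None, None)

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface 3xx as HTTPError so the Location header can be inspected

    url = f"http://{domain}/.well-known/acme-challenge/preflight-token"  # constructed token
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            return classify(True, resp.status, None)
    except urllib.error.HTTPError as err:
        return classify(True, err.code, err.headers.get("Location"))
    except OSError:
        return classify(False, None, None)
```

Run `probe("jeedom-roudaer2.spdns.eu")` from a host outside your LAN; the timeouts in the table above correspond to the "port 80 unreachable" branch.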

Hi Juergen,
Many thanks for the tip. After having opened port 80, I've been able to renew my certificate.
Is there another way to renew a certificate, for instance using SSL port 443?

Cheers

Eric Roudart

Check

dns-01 and alpn-01 are possible.

But if you have a website, port 80 should be open.

With a redirect http -> https.

